Re: Updates of SE-PostgreSQL 8.4devel patches

Bruce Momjian wrote:
> KaiGai Kohei wrote:
>> Robert Haas wrote:
>>>> Can you *do* the row-level permission?
>>> I don't think there's any consensus on a design.
>> Yes, unfortunatelly.
>> No one replied to my proposed design:
>>    http://marc.info/?l=pgsql-hackers&m=122222470930544&w=2
> 
> Yes, we got stuck on the covert channels issue.  Frankly I think the use
> of non-natural keys addresses most of the covert channel issues and
> should be recommended for secure setups --- I don't think we are going to
> do any better than that and think we need to move forward on that
> assumption.  We can cite
> http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.33.5950, which
> outlines the security risks.

I talked to someone in the Solaris Trusted Extension group last week. 
Their stance is basically that they don't worry about covert channels, 
because it is too hard or impossible to get right.  Their main criterion 
about what to hide is what gives existing applications a consistent view 
of the world in spite of the presence of additional access controls, for 
example to avoid being forced to return errors to applications that 
cannot happen in normal circumstances.